New CAS metadata support in 3.4

Marvin Addison serac at vt.edu
Tue Nov 27 07:57:29 EST 2018


On Mon, Nov 26, 2018 at 9:20 PM Paul B. Henson <henson at cpp.edu> wrote:
> So I changed my release policy to be a regex:
>
> <PolicyRequirementRule xsi:type="RequesterRegex"
> regex="^https?://(login\.)?proxy(-dev)?\.library\.cpp\.edu/login.*" />
>
> and that worked; that's actually the exact regex I had in
> cas-protocol.xml defining the service before I started testing using
> metadata instead... To clarify, is this how it's supposed to work?

Yes. The entity ID is simply a unique identifier, but the CAS protocol
machinery carries around the exact service URL passed to it by the
client, which can vary dramatically based on specific usage scenarios.
As such it is the basis for all policy decisions, including attribute
release. I realize that it may be helpful if not desirable to define
policy by entity ID as with SAML, but that would require a pretty
significant analysis and possibly refactoring that feels more
appropriate for 4.0. It might turn out to be a minor change, but I
can't say either way without taking the time to analyze and map out a
plan. Would you mind filing an improvement issue for that?

M
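The reply above says that for CAS the release policy is evaluated against the service URL the client sent, so the only practical check is to see what the RequesterRegex actually accepts. The script below is an added example, not code from this thread or from the Shibboleth project: it applies the pattern quoted above to a list of constructed service URLs and prints which ones would get attributes released. The STRICT_PATTERN variant, the sample URLs and the use of Python's fullmatch() as a stand-in for the IdP's Java matcher are all assumptions of this example. Two things it makes visible about the thread's pattern: plain http:// service URLs are accepted, and the trailing .* accepts any path suffix after /login.

```python
import re

# Pattern copied verbatim from the RequesterRegex rule quoted in the thread.
THREAD_PATTERN = r"^https?://(login\.)?proxy(-dev)?\.library\.cpp\.edu/login.*"

# Tightened variant (an assumption of this example, not from the thread):
# the path must be exactly /login, optionally followed by a query string.
STRICT_PATTERN = r"^https?://(login\.)?proxy(-dev)?\.library\.cpp\.edu/login(\?.*)?$"


def release_allowed(service_url: str, pattern: str = THREAD_PATTERN) -> bool:
    """Model the RequesterRegex policy rule.

    The IdP applies the pattern to the CAS service URL the client sent, not
    to the entity ID from the metadata. fullmatch() stands in for the Java
    matcher here; both patterns above are anchored at both ends, so the
    outcome is the same under either matching style.
    """
    return re.fullmatch(pattern, service_url) is not None


def evaluate(service_urls, pattern=THREAD_PATTERN):
    """Return {service_url: allowed} for a batch of candidate service URLs."""
    return {url: release_allowed(url, pattern) for url in service_urls}


# Constructed sample service URLs; none of these come from the thread.
SAMPLE_SERVICE_URLS = [
    "https://proxy.library.cpp.edu/login?url=https://journal.example/article",
    "https://login.proxy.library.cpp.edu/login?url=https://journal.example/article",
    "https://proxy-dev.library.cpp.edu/login",
    "http://proxy.library.cpp.edu/login",                      # plain http: accepted
    "https://proxy.library.cpp.edu/login/../admin",            # extra path: accepted by .*
    "https://proxy.library.cpp.edu.attacker.example/login",    # look-alike host: rejected
    "https://proxy.library.cpp.edu/",                          # wrong path: rejected
    "https://www.cpp.edu/login",                               # unrelated host: rejected
]

if __name__ == "__main__":
    print("thread pattern:")
    for url, ok in evaluate(SAMPLE_SERVICE_URLS).items():
        print(f"  {'RELEASE' if ok else 'deny   '}  {url}")
    print("strict variant:")
    for url, ok in evaluate(SAMPLE_SERVICE_URLS, STRICT_PATTERN).items():
        print(f"  {'RELEASE' if ok else 'deny   '}  {url}")
```

Run it as-is to see the two columns side by side; swap your own service URLs into SAMPLE_SERVICE_URLS before changing the regex in attribute-filter.xml, since the IdP will not tell you which variants of the URL a client may send.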
